[j-nsp] Bizaare bug of the year award
Stacy W. Smith
stacy at acm.org
Fri Sep 26 10:03:16 EDT 2008
Richard,
I've filed PR 389794 to track this issue.
--Stacy
aka sws at juniper.net
On Sep 25, 2008, at 3:17 PM, Richard A Steenbergen wrote:
> Ok, I just found a Juniper bug that is so strange I can't even bring
> myself to open a case for it. Not only because I can just imagine
> trying
> to explain it to JTAC, but because it is so freaking bizaare and funny
> that I just have to share it with others. :)
>
> It seems that in 9.1+ code there is a bug in the traceroute
> application,
> which causes it to query the incorrect reverse DNS for certain IP
> addresses. The nameservers and the resolv lib on the router itself are
> fine, you can do a "host x.x.x.x" and get correct results, it is only
> the traceroute application which is broken. JUNOS 9.0 and earlier is
> confirmed to be working correctly, JUNOS 9.1/9.2 is confirmed to be
> broken on all versions.
>
> Here is an example:
>
> traceroute to ytti.fi (62.236.255.178), 30 hops max, 40 byte packets
> ...
> 7 te0-2-0-0-10G.alb2nqh1.ip.tele.dk (83.88.20.25) 148.334 ms
> 126.819 ms 126.299 ms
> 8 pos0-0-0-0-10G.stkm3nqh1.ip.tele.dk (83.88.27.6) 156.377 ms
> 127.819 ms 126.253 ms
> 9 Wimax-Cali-190-0-0-61.orbitel.net.co (62.236.181.189) 126.271
> ms 126.310 ms 126.189 ms
> 10 Wimax-Cali-190-0-0-16.orbitel.net.co (62.236.181.16) 130.327
> ms 126.542 ms 126.455 ms
> 11 Wimax-Cali-190-0-0-29.orbitel.net.co (62.236.182.29) 126.178
> ms 126.272 ms 126.346 ms
>
> As you can see, it seems to be querying the incorrect IP for hops 9,
> 10,
> and 11. Here is a tcpdump from the router itself showing that the
> traceroute app is actually querying for the wrong ptr:
>
> IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto: UDP (17),
> length: 119) ns1.mynameserverhere.net.domain >
> lo0.myrouterhere.net.56079: [udp sum ok] 11052 q: PTR?
> 29.0.0.190.in-addr.arpa. 1/0/0 29.0.0.190.in-addr.arpa. PTR
> Wimax-Cali-190-0-0-29.orbitel.net.co. (91)
>
> As you can see, hops 10 and 11 are directly mapping of the last
> octet to
> a query of 190.0.0.x, but hop 9 is not. However, since 189-61=128, you
> can clearly see that hop 9 is actually zeroing out the top bit (or
> bits)
> of the last octet.
>
> Here is another example of the brokenness:
>
> traceroute to www.telekom.de (217.6.10.34), 30 hops max, 40 byte
> packets
> ...
> 6 Wimax-Cali-190-0-0-42.orbitel.net.co (62.154.16.234) 13.428 ms
> Wimax-Cali-190-0-0-46.orbitel.net.co (62.154.16.238) 15.618 ms
> Wimax-Cali-190-0-0-42.orbitel.net.co (62.154.16.234) 15.574 ms
>
> Only thing in common here is the 62 first octet, though you can now
> see
> that its zeroing out the top 2 bits when doing its lookup. No clue if
> there are any other patterns of IPs where this happens also, if all of
> 62.0.0.0/8 is broken, etc, but its definitely been confirmed on many
> routers.
>
> Bonus points to any jnpr developer who can tell me how you guys
> actually
> managed to break this, because this is an award winner in my book. :)
>
> --
> Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1
> 2CBC)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list